Heroku-20 and Heroku-22 stack images updated

Change effective on 11 October 2023

We have updated the heroku-20 and heroku-22 stack images to pick up security fixes in upstream packages.

This includes fixes for the curl/libcurl CVEs announced today, including CVE-2023-38545 and CVE-2023-38546.

The new stack images will be rolled out automatically to the Common Runtime over the next 24 hours, followed by Private Spaces.

If you are using Heroku’s default buildpack-powered build system/stacks, you do not need to redeploy your app to pick up these changes, since your application’s slug is applied on top of the most recent stack image each time a dyno starts. Currently running dynos will be automatically restarted, so there is no need to manually restart your app.

If your app instead uses Heroku’s container stack (most apps do not), you will need to rebuild your app’s Docker image in order to pick up any updates in the base image specified in your Dockerfile.

See this Dev Center article for an overview of the packages available in each stack image.

Changelog of packages

Stack: heroku-20

  • Updated curl from version 7.68.0-1ubuntu2.19 to 7.68.0-1ubuntu2.20
  • Updated libc-bin from version 2.31-0ubuntu9.9 to 2.31-0ubuntu9.12
  • Updated libc-dev-bin from version 2.31-0ubuntu9.9 to 2.31-0ubuntu9.12
  • Updated libc6 from version 2.31-0ubuntu9.9 to 2.31-0ubuntu9.12
  • Updated libc6-dev from version 2.31-0ubuntu9.9 to 2.31-0ubuntu9.12
  • Updated libcurl3-gnutls from version 7.68.0-1ubuntu2.19 to 7.68.0-1ubuntu2.20
  • Updated libcurl4 from version 7.68.0-1ubuntu2.19 to 7.68.0-1ubuntu2.20
  • Updated libtiff5 from version 4.1.0+git191117-2ubuntu0.20.04.9 to 4.1.0+git191117-2ubuntu0.20.04.10
  • Updated libvpx6 from version 1.8.2-1build1 to 1.8.2-1ubuntu0.2
  • Updated libx11-6 from version 2:1.6.9-2ubuntu1.5 to 2:1.6.9-2ubuntu1.6
  • Updated libx11-data from version 2:1.6.9-2ubuntu1.5 to 2:1.6.9-2ubuntu1.6
  • Updated libxpm4 from version 1:3.5.12-1ubuntu0.20.04.1 to 1:3.5.12-1ubuntu0.20.04.2
  • Updated linux-libc-dev from version 5.4.0-163.180 to 5.4.0-164.181
  • Updated locales from version 2.31-0ubuntu9.9 to 2.31-0ubuntu9.12

Updates to packages available at build time only

  • Updated libc6-i386 from version 2.31-0ubuntu9.9 to 2.31-0ubuntu9.12
  • Updated libcurl4-openssl-dev from version 7.68.0-1ubuntu2.19 to 7.68.0-1ubuntu2.20
  • Updated libtiff-dev from version 4.1.0+git191117-2ubuntu0.20.04.9 to 4.1.0+git191117-2ubuntu0.20.04.10
  • Updated libtiffxx5 from version 4.1.0+git191117-2ubuntu0.20.04.9 to 4.1.0+git191117-2ubuntu0.20.04.10
  • Updated libvpx-dev from version 1.8.2-1build1 to 1.8.2-1ubuntu0.2
  • Updated libx11-dev from version 2:1.6.9-2ubuntu1.5 to 2:1.6.9-2ubuntu1.6
  • Updated libxpm-dev from version 1:3.5.12-1ubuntu0.20.04.1 to 1:3.5.12-1ubuntu0.20.04.2

Stack: heroku-22

  • Updated curl from version 7.81.0-1ubuntu1.13 to 7.81.0-1ubuntu1.14
  • Updated libc-bin from version 2.35-0ubuntu3.3 to 2.35-0ubuntu3.4
  • Updated libc-dev-bin from version 2.35-0ubuntu3.3 to 2.35-0ubuntu3.4
  • Updated libc6 from version 2.35-0ubuntu3.3 to 2.35-0ubuntu3.4
  • Updated libc6-dev from version 2.35-0ubuntu3.3 to 2.35-0ubuntu3.4
  • Updated libcurl3-gnutls from version 7.81.0-1ubuntu1.13 to 7.81.0-1ubuntu1.14
  • Updated libcurl4 from version 7.81.0-1ubuntu1.13 to 7.81.0-1ubuntu1.14
  • Updated libtiff5 from version 4.3.0-6ubuntu0.5 to 4.3.0-6ubuntu0.6
  • Updated libvpx7 from version 1.11.0-2ubuntu2 to 1.11.0-2ubuntu2.2
  • Updated libx11-6 from version 2:1.7.5-1ubuntu0.2 to 2:1.7.5-1ubuntu0.3
  • Updated libx11-data from version 2:1.7.5-1ubuntu0.2 to 2:1.7.5-1ubuntu0.3
  • Updated libxpm4 from version 1:3.5.12-1ubuntu0.22.04.1 to 1:3.5.12-1ubuntu0.22.04.2
  • Updated linux-libc-dev from version 5.15.0-84.93 to 5.15.0-86.96
  • Updated locales from version 2.35-0ubuntu3.3 to 2.35-0ubuntu3.4

Updates to packages available at build time only

  • Updated libcurl4-openssl-dev from version 7.81.0-1ubuntu1.13 to 7.81.0-1ubuntu1.14
  • Updated libtiff-dev from version 4.3.0-6ubuntu0.5 to 4.3.0-6ubuntu0.6
  • Updated libtiffxx5 from version 4.3.0-6ubuntu0.5 to 4.3.0-6ubuntu0.6
  • Updated libvpx-dev from version 1.11.0-2ubuntu2 to 1.11.0-2ubuntu2.2
  • Updated libx11-dev from version 2:1.7.5-1ubuntu0.2 to 2:1.7.5-1ubuntu0.3
  • Updated libxpm-dev from version 1:3.5.12-1ubuntu0.22.04.1 to 1:3.5.12-1ubuntu0.22.04.2
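
For apps on the container stack, one way to confirm that a rebuilt image picked up the fixes is to compare its installed package versions against the fixed versions in the heroku-20 changelog on this page. This is an added example, not Heroku's code: it assumes the image is based on the heroku-20 stack image, and the function names and the sample `dpkg-query -W` output are constructed for illustration. The comparison follows Debian version ordering, because a plain string comparison would rank `...20.04.9` above `...20.04.10`.

```python
import re

# Fixed versions copied from the heroku-20 changelog on this page (subset).
FIXED = {
    "curl": "7.68.0-1ubuntu2.20",
    "libcurl4": "7.68.0-1ubuntu2.20",
    "libtiff5": "4.1.0+git191117-2ubuntu0.20.04.10",
    "libvpx6": "1.8.2-1ubuntu0.2",
    "libx11-6": "2:1.6.9-2ubuntu1.6",
}

# Constructed sample of `dpkg-query -W` output (package<TAB>version) from a stale image.
SAMPLE = (
    "curl\t7.68.0-1ubuntu2.19\n"
    "libcurl4:amd64\t7.68.0-1ubuntu2.20\n"
    "libtiff5:amd64\t4.1.0+git191117-2ubuntu0.20.04.9\n"
    "libvpx6:amd64\t1.8.2-1build1\n"
    "libx11-6:amd64\t2:1.6.9-2ubuntu1.6\n"
)

def _order(c):
    # dpkg ordering inside a non-digit run: '~' < end of run (0) < letters < other symbols
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _key(part):
    # Alternating (non-digit run, digit run) pairs; findall's final empty pair is the end sentinel.
    return [([_order(c) for c in nd] + [0], int(d or 0))
            for nd, d in re.findall(r"(\D*)(\d*)", part)]

def deb_key(v):
    """Sort key following Debian [epoch:]upstream[-revision] ordering."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "0")
    return int(epoch), _key(upstream), _key(rev)

def outdated(dpkg_output, fixed=FIXED):
    """List packages whose installed version is older than the fixed one."""
    stale = []
    for line in dpkg_output.splitlines():
        name, _, version = line.partition("\t")
        name = name.split(":")[0]  # drop the ":amd64" architecture suffix
        if name in fixed and deb_key(version) < deb_key(fixed[name]):
            stale.append(name)
    return stale
```

To check a real image, pass `outdated()` the output of `dpkg-query -W` run inside the container; an empty list means every tracked package is at or above the fixed version.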